Introduction

Employers seek cloud risk management professionals who are job-ready to apply the NIST Risk Management Framework (RMF) and FedRAMP, the de facto U.S. standards for cloud security risk management. FedRAMP builds on the NIST RMF and requires every Cloud Service Provider serving the federal government to comply with FedRAMP, and therefore with the NIST RMF. Likewise, cloud risk management professionals seek a certification that validates they are job-ready to implement the NIST RMF and FedRAMP.

To meet the needs of employers and candidates, Mission Critical Institute (MCI) has launched the only performance-based NIST RMF certification, the Certified Cloud Risk Management Professional (CCRMP), to address:

Accelerating cybersecurity staffing shortages

Scarcity of “job-ready” NIST RMF/FedRAMP specialists

Need for performance-based certifications, as opposed to exam-based certifications

Industry Support for the CCRMP

The CCRMP was developed by cybersecurity risk management practitioners who have supported major employers in the public and private sectors including: DoD, FBI, Cisco, Booz Allen Hamilton, ITPG, Raytheon, FERC, DHS, and CACI.

CCRMP Common Body of Practice

CCRMP candidates demonstrate mastery of the CCRMP Common Body of Practice by satisfactorily producing all deliverables required to implement the NIST RMF.

The CCRMP Common Body of Practice includes the following seven competencies:

1. Categorize the information system and the information processed, stored, and transmitted by that system

2. Select an initial set of baseline security controls for the information system, based on the security categorization

3. Implement selected security controls and describe how the controls are employed within the information system and its environment of operation

4. Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes for meeting the system’s security requirements

5. Authorize operation of the information system, based on a determination of the risk and the decision that this risk is acceptable

6. Continuously monitor the security controls in the information system